Ming Luo
Tao Peng
Christopher Leckie
I. INTRODUCTION
VoIP (Voice over Internet Protocol) technology is gradually
replacing the Public Switched Telephone Network (PSTN)
as a platform for private and public telephony. During this
evolution, the Session Initialization Protocol (SIP) has become
a widely adopted protocol for signaling in VoIP applications
[1] [2]. An important challenge for VoIP service providers
is how to support security management, in order to provide a
level of security that is comparable to users' expectations from
PSTN services [3]. Unfortunately, the openness of the Internet
has not only brought enormous benefits but also unprecedented
security challenges to VoIP applications. In contrast to the
closed and centrally-controlled PSTN, any system connected
to the Internet is exposed to a variety of attacks, such as denial-of-service attacks [4]. In this paper, we focus on one important
aspect of security management for VoIP, namely defending
against Denial of Service (DoS) attacks on the SIP signaling
infrastructure.
SIP is an application-layer signaling protocol for creating,
modifying, and terminating multimedia sessions with one
or more participants [5]. A SIP server is responsible for
interpreting incoming SIP packets and setting up sessions
between callers and callees. SIP is normally run over UDP and
IP protocols, which gives no guarantees of the authenticity of
the source. This makes it vulnerable to many types of attacks,
such as call hijacking and SIP-entity impersonation attacks.
Generally, authentication mechanisms are used to address
these security concerns. However, authentication is a resource-intensive process, which has the potential to be exploited as
TABLE I
SIP REQUEST METHOD

Method     Purpose                          Authentication?
INVITE     Initiate a session               Yes
ACK        Acknowledge session initiation   No
OPTIONS    Query server capabilities        No
BYE        Terminate a session              Yes
CANCEL     Cancel a pending request         Yes
REGISTER   Register a user's location       Yes
TABLE II
SIP STATUS CODE

Status Code   Description      Example
1xx           Informational    100 Trying
2xx           Success          200 OK
3xx           Redirection      300 Multiple choices
4xx           Client error     401 Unauthorized
5xx           Server error     503 Service unavailable
6xx           Global failure   600 Busy everywhere

Fig. 1.
Fig. 2.
(1)
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Plot legend: Adaptive Nonce; Static Nonce with Original SER; Static Nonce with Enhanced SER
Fig. 8.
Plot legend: nonce expiry time = 20 s; nonce expiry time = 50 s; nonce expiry time = 100 s
Fig. 9.
Plot axis label: UA Delay (ms)
Fig. 10.
two types of attacks. The first type of attack is the Adaptive-Nonce-Based attack, which was described in the previous
section. The second type of attack is the Spoofing attack,
which is similar to the Adaptive-Nonce-Based attack except
that the source IP addresses of the attack packets are spoofed.
The attack traffic rate is set to 5 MB/s for both attack
scenarios. The target SIP server, however, has two
configurations, i.e., with or without the PIKE module enabled.
When the PIKE module is enabled, the maximum number of
SIP requests from each IP address is set to 1,000.
While the target SIP server is under attack, a normal VoIP
agent is instructed to send SIP requests to the server to test
the responsiveness of the target. In Figure 10,
the x-axis represents the nonce expiry time of the SER,
and the y-axis represents the User Agent (UA) delay on a
log scale. Baseline represents the UA delay under normal
operation, which is 1.2 ms. When the nonce expiry time
equals 50 seconds, the UA delay with the PIKE module is
1.36 ms. However, it becomes 127 ms if the PIKE module is
disabled. Hence, the SER using the PIKE module is effective
in defeating Adaptive-Nonce-Based attacks, as the UA delay
is close to the Baseline UA delay. In contrast, the UA delay
increases dramatically once the PIKE module is disabled.
However, when a Spoofing attack is used, the UA delay
for the target using the PIKE module becomes the worst
of all four scenarios in Figure 10, i.e., the PIKE module
increases the vulnerability of the target server to spoofing DoS
attacks. This is a surprising result, which can be explained as
follows. First, Spoofing attacks can simulate attack traffic from
a large number of source IP addresses, which can bypass the
PIKE module. Even worse, the PIKE module adds its own
overheads. In order to make sure that no single IP address has
a disproportionately large number of SIP requests, an overhead
is added to all requests to check the frequency of accesses
from that source, which takes up CPU resources. As shown
in Figure 10, when the nonce expiry time equals 20 seconds,
the UA delay is 13 ms for the Adaptive-Nonce-Based attack
without the PIKE module, but 124 ms for the Spoofing attack
with the PIKE module enabled. Thus, adding an additional
layer of defense can create the risk of creating a new source
On the contrary, it can make things even worse as authentication is generally an expensive process, which can deplete
resources even more quickly under large-volume DoS attacks.
Finally, we proposed several promising research directions
towards solving DoS attack problems in this context.
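The per-source rate-limiting result reported for the PIKE module in the evaluation above can be reproduced in miniature. The following is an added example, not code from the paper or from SER: a simplified fixed-window per-IP counter run over constructed traffic, using the limit of 1,000 requests per source from the text. The window length, the addresses and all names are assumptions.

```python
from collections import defaultdict
import ipaddress

LIMIT = 1000    # max requests per source IP per window (value given in the text)
WINDOW = 1.0    # window length in seconds: an assumption, not stated on the page


class PerSourceLimiter:
    """Simplified fixed-window per-IP counter; a model, not PIKE's implementation."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)  # source IP -> requests seen this window
        self.window_start = 0.0
        self.lookups = 0                # table operations, paid on every request

    def allow(self, src_ip, now):
        if now - self.window_start >= self.window:  # window rolled over: reset
            self.counts.clear()
            self.window_start = now
        self.lookups += 1
        self.counts[src_ip] += 1
        return self.counts[src_ip] <= self.limit


def run(sources, n_requests):
    """Replay n_requests inside one window, cycling through the given sources."""
    lim = PerSourceLimiter()
    passed = 0
    for i in range(n_requests):
        now = i * lim.window / (n_requests + 1)     # keep every request in window 0
        if lim.allow(sources[i % len(sources)], now):
            passed += 1
    return {"passed": passed, "blocked": n_requests - passed,
            "tracked_sources": len(lim.counts), "lookups": lim.lookups}


N = 50_000
# Constructed traffic: one fixed source vs. one distinct source per request.
SINGLE = ["198.51.100.7"]
SPOOFED = [str(ipaddress.ip_address(0x0A000000 + i)) for i in range(N)]

if __name__ == "__main__":
    print("single source :", run(SINGLE, N))
    print("spoofed source:", run(SPOOFED, N))
```

With a single source the limiter blocks everything past the first 1,000 requests. With one source address per request it blocks nothing, still performs a lookup for every request, and its table grows to one entry per spoofed address.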
ACKNOWLEDGMENT
We acknowledge the open source community for their
generous contribution to make our work possible. We thank
the anonymous reviewers for their insightful comments. This
work was supported by the Australian Research Council.
REFERENCES
[1] D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis, and
S. Gritzalis, "SIP security mechanisms: A state-of-the-art review," in
Proceedings of the Fifth International Network Conference (INC 2005),
Samos, Greece, 2005, pp. 147–155.
[2] D. Sisalem, S. Ehlert, D. Geneiatakis, G. Kambourakis, T. Dagiuklas,
Jir, M. Rokos, O. Botron, J. Rodriguez, and J. Liu, "Towards a secure
and reliable VoIP infrastructure," http://www.snocer.org/Paper/COOP005892-SNOCER-D2-1.pdf.
[3] A. Conway and B. Khasnabish, "End-to-end network reliability modeling of enterprise VoIP services," in Proceedings of 10th IEEE/IFIP
Network Operations and Management Symposium (NOMS 2006), Vancouver, Canada, April 2006, pp. 404–413.
[4] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based
defense mechanisms countering the DoS and DDoS problems," ACM
Comput. Surv., vol. 39, no. 1, 2007.
[5] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson,
M. H. R. Spark, and E. Schooler, "Session initiation protocol," RFC
3261, the Internet Engineering Task Force (IETF), 2002.
[6] D. Sisalem, J. Kuthan, and G. Schafer, "Denial of service attacks
and SIP infrastructure: attack scenarios and prevention mechanisms,"
http://www.snocer.org/Paper/sisalem dos.pdf.
[7] J. H. J. Franks, P. Hallam-Baker, "HTTP authentication: Basic and digest
access authentication," RFC 2617, the Internet Engineering Task Force
(IETF), 1999.
[8] "Open source SIP stack: PJSIP library," http://www.pjsip.org.
[9] "Ubuntu linux," http://www.ubuntu.com.
[10] "SIP Express Router (SER)," http://www.iptel.org.
[11] "MySQL," http://www.mysql.com.
[12] R. Rivest, "MD5 hashing scheme," RFC 1321, the Internet Engineering
Task Force (IETF), 1992.
[13] "PIKE module," http://www.iptel.org/ser/doc/modules/pike.
[14] T. Peng, C. Leckie, and K. Ramamohanarao, "Prevention from distributed denial of service attacks using history-based IP filtering," in
Proceedings of 38th IEEE International Conference on Communications
(ICC 2003), Anchorage, Alaska, USA, August 2003, pp. 482–486.
[15] V. D. Gligor, "A note on denial-of-service in operating systems," IEEE
Trans. Softw. Eng., vol. 10, no. 3, pp. 320–324, 1984.
[16] E. Y. Chen, "Detecting DoS attacks on SIP systems," in 1st IEEE
Workshop on VoIP Management and Security, April 2006, pp. 53–58.
[17] F. Cao and S. Malik, "Vulnerability analysis and best practices for
adopting IP telephony in critical infrastructure sectors," in Proceedings
of 1st International Conference on Security and Privacy for Emerging
Areas in Communication Networks, September 2005, pp. 171–180.
[18] W. Marshall, A. F. Faryar, K. Kealy, G. de los Reyes, I. Rosencrantz,
R. Rosencrantz, and C. Spielman, "Carrier VoIP security architecture,"
in Proceedings of 12th International Telecommunications and Network
Strategy and Planning Symposium, NETWORKS 2006, November 2006,
pp. 1–6.
[19] A. Nascimento, A. Passito, E. Mota, E. Nascimento, and L. Carvalho,
"Can I add a secure VoIP call?" in Proceedings of the 2006 International
Symposium on a World of Wireless, Mobile and Multimedia Networks
(WoWMoM06), June 2006.
[20] H. Abdelnur, V. Cridlig, R. State, and O. Festor, "VoIP security assessment: Methods and tools," in Proceedings of 1st IEEE Workshop on
VoIP Management and Security, Vancouver, Canada, April 2006, pp.
29–34.